‘Quick fix’ compliance measures to meet the latest PCI DSS deadline, which is due to kick in on 30 September, will not suffice, warns LogRhythm, particularly with the penalties for non-compliance being more costly and onerous than ever.
With merchants currently focused on achieving compliance by that date, which will require all level one merchants – those processing more than six million transactions per year – to adhere to the original v1.2 guidelines, LogRhythm is concerned that compliance is not being viewed as an ongoing requirement.
“Many merchants are falling into the trap of viewing PCI DSS as a list of requirements that simply need to be ticked off a list within a specific timeframe,” explained Ross Brewer, VP and MD of international markets at LogRhythm. “However, compliance is not a one-time only requirement; instead, organisations should approach it as an ongoing process that requires the automation and optimisation of increasingly complex IT and data operations.”
Responsibility for PCI compliance should also not fall to just a single business division, and the firm believes merchants are failing to consider how the measures the standard prescribes can improve operational efficiency across all areas of the organisation.
“Many merchants are taking a siloed approach to PCI DSS, thinking about how it impacts card transaction procedures, rather than viewing it as a set of best practices that can actually improve the performance of the entire business,” continued Brewer. “While such ‘kneejerk’ responses to PCI mandates may seem relatively cheap to implement, in reality they are a false economy. Instead, it makes sense to deploy monitoring solutions that can add value in as many areas as possible. After all, there is a significant difference between simply complying and actually doing something that benefits the business as a whole.”
Merchants should view automated, centralised and fully integrated log management platforms, which are capable of providing deep insight into how IT systems are being used across the whole business and on an ongoing basis, as the cornerstone of their compliance strategies, said LogRhythm.
According to the latest UK Security Breach Investigation Report, of all the merchants that suffered a cardholder data breach in 2010, none were compliant with PCI DSS Requirement 10, which requires merchants to track and monitor all access to network resources and cardholder data so that unusual or suspicious behaviour can be spotted proactively.